Re: kmods and Fedora

On 14.01.2016 at 20:09, Neal Gompa wrote:
> On Thu, Jan 14, 2016 at 2:00 PM, Josh Boyer <jwboyer@xxxxxxxxxxxxxxxxx> wrote:
>> On Thu, Jan 14, 2016 at 1:54 PM, Neal Gompa <ngompa13@xxxxxxxxx> wrote:
>>> On Thu, Jan 14, 2016 at 1:49 PM, Samuel Sieb <samuel@xxxxxxxx> wrote:
>>>> On 01/14/2016 07:56 AM, Neal Gompa wrote:
>>>>>
>>>>> Aside from the DNF issue, is there anything else I'm missing in
>>>>> relation to kmods in Fedora?
>>>>
>>>> If you have secure boot, you have to go through the process to sign the
>>>> kernel modules you build and register the key with the boot system.
>>>
>>> That would be something our build system (Koji, etc.) would handle if
>>> we allowed them again, right? After all, I believe Koji handles our
>>> kernel signing, too.
>>
>> No, it would not.
>>
>> The kernel modules are signed with an ephemeral cert as part of the
>> kernel build process.  They are not signed with the Fedora cert used
>> for Secure Boot.  The vmlinuz and grub2 binaries are signed with the
>> Secure Boot cert.  The tool that does the signing only works with
>> PECoff binaries and the kernel modules are not PECoff.
>>
>> So no, the build system does not support signing modules outside of
>> the normal kernel build.
>
> So that would mean in order to make kernel modules build to work
> outside of the kernel build process, we would need a way to add more
> certs that would be accepted by the kernel and grub, right? I assume
> you'd want to do the ephemeral cert process for kmod builds too?

It is not supported by the kernel maintainers, for a lot of reasons.
Accept it or become "the kernel maintainers".


--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
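
Added example, not part of the original thread or of any Fedora tooling: a Python check that illustrates the format difference described in the quoted reply, telling a PE/COFF image (the kind vmlinuz and grub2 are) apart from an ELF kernel module carrying the kernel's appended-signature trailer. The sample byte strings are constructed, the trailer layout is assumed to follow the kernel's `struct module_signature`, and the function only detects the trailer; it does not verify the signature.

```python
import struct

# Trailer the kernel's module signing step appends to a .ko:
#   [ELF module][signature blob][struct module_signature][magic string]
MODULE_SIG_MAGIC = b"~Module signature appended~\n"
# algo, hash, id_type, signer_len, key_id_len, 3 pad bytes, big-endian sig_len
SIG_INFO = struct.Struct(">5B3xI")


def classify(blob: bytes) -> dict:
    """Report the container format and whether a module signature is appended."""
    info = {"format": "unknown", "appended_module_sig": False, "sig_len": None}

    if blob[:4] == b"\x7fELF":
        info["format"] = "ELF"
    elif blob[:2] == b"MZ" and len(blob) >= 0x40:
        # e_lfanew (offset 0x3c) points at the "PE\0\0" signature
        (pe_off,) = struct.unpack_from("<I", blob, 0x3C)
        if blob[pe_off:pe_off + 4] == b"PE\x00\x00":
            info["format"] = "PE/COFF"

    if blob.endswith(MODULE_SIG_MAGIC):
        end = len(blob) - len(MODULE_SIG_MAGIC)
        if end >= SIG_INFO.size:
            fields = SIG_INFO.unpack_from(blob, end - SIG_INFO.size)
            sig_len = fields[5]
            # Reject trailers whose claimed signature cannot fit in the file
            if sig_len <= end - SIG_INFO.size:
                info["appended_module_sig"] = True
                info["sig_len"] = sig_len
    return info


# Constructed samples (not real binaries): minimal headers only.
FAKE_SIG = b"S" * 16
SIGNED_KO = (b"\x7fELF" + b"\x00" * 60 + FAKE_SIG
             + SIG_INFO.pack(0, 0, 2, 0, 0, len(FAKE_SIG)) + MODULE_SIG_MAGIC)
UNSIGNED_KO = b"\x7fELF" + b"\x00" * 60
PE_IMAGE = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
            + b"PE\x00\x00" + b"\x00" * 20)

if __name__ == "__main__":
    for name, blob in (("signed.ko", SIGNED_KO), ("unsigned.ko", UNSIGNED_KO),
                       ("vmlinuz-like", PE_IMAGE)):
        print(name, classify(blob))
```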
